[8u] request for review: 8062552 Support keystore type detection for JKS and PKCS12 keystores

Thomas Lußnig openjdk at suche.org
Sat May 23 08:42:17 UTC 2015


Hi,

1) Would it not be an good idea to check the first bytes of the message
so that the dual class already know what type the stream is
and there is no unnecessary instanciation of exceptions and engine class?
2) If we add an "smart" keystore why we limit it to two types? I do not
see any reason why it should not be possible to add other store types to:
 - JCEKS
 - PKCS11
 It could be extended via securit property
 java.security.smartKeystore.<N>.type = PKCS11
 java.security.smartKeystore.<N>.magic = <HexSequence> (Optional for
Performance)
 java.security.smartKeystore.<N>.engineClass = CanonicalEngine Class Name

This would be only an small code change but an usefull improvement.

Gruß Thomas


On 22.05.2015 22:01, Sean Mullan wrote:
> Looks fine to me.
>
> --Sean
>
> On 05/22/2015 03:10 PM, Vincent Ryan wrote:
>> Thanks Thomas and Sean for your review comments.
>>
>> KeyStoreDelegator matches the JDK 9 version. I’ve moved it to the
>> sun.security.package and modified it as suggested.
>> I also made JavaKeyStore package-private but DualFormatJKS needs to
>> remain public.
>> The cert in trusted.pem is an arbitrary X.509 cert and I’ve added a
>> comment in the TestKeystoreCompat test.
>>
>> A new webrev is available at:
>> http://cr.openjdk.java.net/~vinnie/8062552/webrev.02/


More information about the security-dev mailing list